[squid-users] Squid within a network namespace

Francois rigault.francois at gmail.com
Sun Apr 11 16:46:41 UTC 2021


Hi Squid
I am running my development tools and VMs in a dedicated network
namespace on my laptop (through Linux "netns"), so they are fully
isolated from the rest of my network. I would like to set up a proxy
so that if there is a need to connect to the outside, I could set up
some fine-grained ACLs to open some very specific HTTP traffic. For
this to work with Squid, there must be a socket opened within the
namespace, while Squid is still running in the default namespace.

This can be achieved without modifying the code by using socat, for
example, where a socat running within the namespace sends traffic to a
Unix socket, and another socat outside the namespace reads from the
Unix socket and sends the traffic to Squid... it's quite some
plumbing effort, and Squid won't be able to know from which VM the
traffic originates (the X-Forwarded-For is localhost).

Seeing that HAProxy implemented something
(https://github.com/haproxy/haproxy/commit/b3e54fe387c7c1ea750f39d3029672d640c499f9)
so that the process moves into the namespace just for the time of the
socket creation, I came up with a similar change for Squid
(https://github.com/freedge/squid/commit/a778666d8f4760448e29e4a0cc75dcd305b40d02).

As this is a Linux-only change, and also the community lived without
it so far, I am sending this mail to see if there is any interest in
this feature, and whether there was ever any request for it in the past.

Cheers!
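As an added illustration of the pattern described above (this is example code written for this page, not the Squid patch or HAProxy's commit), the helper below enters a named network namespace with setns() only for the socket() call and switches back before binding. It assumes the iproute2 convention of namespace handles under /var/run/netns/<name> and uses /proc/self/ns/net to remember the original namespace; a non-NULL path needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Open a TCP listener on port inside the network namespace at netns_path
 * (e.g. "/var/run/netns/dev"); NULL means "stay in the current namespace".
 * A socket belongs to the namespace it was created in, so only socket()
 * runs on the other side; bind()/listen() happen after switching back.
 * Returns the listening fd, or -1 on failure. */
int open_listener_in_netns(const char *netns_path, uint16_t port)
{
    int orig_ns = -1, target_ns = -1, fd = -1;

    if (netns_path) {
        orig_ns = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
        if (orig_ns < 0) { perror("open /proc/self/ns/net"); return -1; }
        target_ns = open(netns_path, O_RDONLY | O_CLOEXEC);
        if (target_ns < 0 || setns(target_ns, CLONE_NEWNET) < 0) {
            perror("enter target netns");
            if (target_ns >= 0) close(target_ns);
            close(orig_ns);
            return -1;
        }
    }

    fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);

    /* Always return to the original namespace, even if socket() failed. */
    if (netns_path) {
        if (setns(orig_ns, CLONE_NEWNET) < 0) {
            perror("return to original netns");
            if (fd >= 0) close(fd);
            fd = -1;
        }
        close(target_ns);
        close(orig_ns);
    }
    if (fd < 0) return -1;

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port),
                                .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 128) < 0) {
        perror("bind/listen");
        close(fd);
        return -1;
    }
    return fd;
}
```

Because the switch is per-thread, a multi-threaded caller must do this from the thread that owns the socket setup, and a failed switch back is treated as fatal rather than left to strand the process in the wrong namespace.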

